CVE-2025-28992: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability was discovered in snstheme SNS Anton WordPress theme versions through 4.1. The vulnerability was identified on June 9, 2025, and assigned CVE-2025-28992. This security flaw allows unauthenticated attackers to include local files of the target website (Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) issue, identified as CWE-98. It received a CVSS v3.1 Base Score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (CVE, Patchstack).

The vulnerability could allow malicious actors to access and display the contents of local files on the target website. This could potentially expose sensitive information such as database credentials, depending on the server configuration, which could lead to complete database compromise (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate the issue by blocking potential attacks until an official fix becomes available (Patchstack).